MVP
Posts: 4,266
Registered: ‎07-20-2011

Certificate Question : Two CPPM each in different locations using different VLANs

No VIP

When I generate the CSR, should it look like this:

CN: cppm1.cppm.test.com
DNS: cppm2.cppm.test.com,
IP: 10.2.100.101,
IP: 10.2.101.1102,

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: Certificate Question : Two CPPM each in different locations using different VLANs

Check out the document here:  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13734

 

I think you are looking for a clustered deployment.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Certificate Question : Two CPPM each in different locations using different VLANs

Thanks Colin, so I guess it shouldn't matter if the SAN FQDN is attached to a different IP address?

CN:CPPM1.testing.com

SAN:
DNS:CPPM2.testing.com
IP:10.2.100.200

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: Certificate Question : Two CPPM each in different locations using different VLANs

If you are using the same certificate for two different boxes, all their IP addresses and DNS names need to be in there.

"SAN – Subject Alternate Name

The subject alternative names (SubjectAltName) extension allows one SSL certificate to be used to secure one Web server with multiple names (such as a different DNS name, IP address or URI). Alternatively, the SubjectAltName extension can be used to secure up to two virtual Web servers using the same SSL certificate. "

"It is imperative that we configure the system with a Fully-Qualified-Domain-Name (FQDN). I’ve intentionally made an error to highlight that if you want to use a Subject Alternate Name (SAN) attribute in the certificate creation it must begin with uppercase DNS, IP or URI not lowercase letters. Multiple SAN’s entries can be entered comma delimited and there can be a mix of DNS and IP values."

Colin Joseph
Aruba Customer Engineering


MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Certificate Question : Two CPPM each in different locations using different VLANs

 

Thanks for the confirmation

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Certificate Question : Two CPPM each in different locations using different VLANs

Remember, if you use the SAN field, the CN field is ignored, so you need to put both FQDNs in the SAN field.

CN=server1
SAN=server1, server2, ip1, ip2

The IPs are optional. You only need them if you don't use DNS on all redirects.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
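
A small check for the SAN rules raised in this thread (uppercase DNS/IP/URI prefixes, comma-delimited entries, every node's name and address present, and the CN host repeated in the SAN). It is an added example, not taken from the ClearPass guide or from any poster; `check_san` and its parameters are hypothetical names, and the second node address in `BOTH_NODES` is constructed.

```python
import ipaddress

ALLOWED = ("DNS", "IP", "URI")  # prefixes named in the guide excerpt quoted in the thread

def check_san(cn, san, required_dns=(), required_ips=()):
    """Return a list of problems found in a comma-delimited SAN string."""
    problems, dns_names, ips = [], set(), set()
    for entry in filter(None, (e.strip() for e in san.split(","))):
        prefix, sep, value = entry.partition(":")
        value = value.strip()
        if not sep or not value:
            problems.append(f"malformed entry: {entry!r}")
        elif prefix not in ALLOWED:
            hint = " (prefix must be uppercase)" if prefix.upper() in ALLOWED else ""
            problems.append(f"bad prefix in {entry!r}{hint}")
        elif prefix == "IP":
            try:
                ips.add(ipaddress.ip_address(value))
            except ValueError:
                problems.append(f"invalid IP address: {value!r}")
        elif prefix == "DNS":
            dns_names.add(value.lower())  # DNS names compare case-insensitively
    # Per the reply above, the CN is ignored once a SAN is present,
    # so the CN host must also appear as a DNS entry.
    for name in (cn, *required_dns):
        if name.lower() not in dns_names:
            problems.append(f"missing DNS entry for {name}")
    for addr in required_ips:
        if ipaddress.ip_address(addr) not in ips:
            problems.append(f"missing IP entry for {addr}")
    return problems

# SAN layout from the first post in this thread (values as posted there).
FIRST_TRY = "DNS:cppm2.cppm.test.com,IP:10.2.100.101,IP:10.2.101.1102,"
# Constructed SAN covering both nodes; 10.2.101.102 is a made-up second address.
BOTH_NODES = ("DNS:cppm1.cppm.test.com,DNS:cppm2.cppm.test.com,"
              "IP:10.2.100.101,IP:10.2.101.102")

if __name__ == "__main__":
    for san in (FIRST_TRY, BOTH_NODES, "dns:cppm1.cppm.test.com"):
        print(san, "->", check_san("cppm1.cppm.test.com", san) or "OK")
```

Running the check on the SAN string before pasting it into the CSR form catches entries that would leave one node unmatched by the shared certificate.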
Moderator
Posts: 482
Registered: ‎11-09-2012

Re: Certificate Question : Two CPPM each in different locations using different VLANs

Victor,

Did we not cover this in email yesterday, or is this a different opportunity? As Colin points out, take a look at my CPPM PKI 101 Guide.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Certificate Question : Two CPPM each in different locations using different VLANs

If I redo my public certificate and add a 2nd server using the SAN field, will this cause 802.1X clients to present an error upon next connect because the certificate has changed?
Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: Certificate Question : Two CPPM each in different locations using different VLANs

Unless you use a supplicant configuration utility to configure your clients, they will most likely be prompted to accept the new certificate.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480